From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-net@freebsd.org
Subject: Re: pf, stateful filter and DMZ
Date: Fri, 22 Nov 2019 09:42:50 +0000
Message-ID: <3d9c5663-3eb5-fd5a-bd72-041bbe392fe7@FreeBSD.org>
In-Reply-To: <20191122061950.GA25286@admin.sibptus.ru>
References: <20191121151041.GA93735@admin.sibptus.ru> <59ac7be3-b79d-a13e-b64f-cd4dae43b9e4@tuxpowered.net> <20191122061950.GA25286@admin.sibptus.ru>

On 22/11/2019 06:19, Victor Sudakov wrote:
>>> 2. ICMP traffic in any direction
>> Sounds like a bad idea. Why would you do it?
> Well, for example, if a host in $inside_net sends a UDP datagram to a
> host in $dmz_net which generates an ICMP port unreachable message, I
> want the host in $inside_net to actually receive the message. If pf is
> THAT stateful and smart, then this rule is not necessary.

I believe that pf is clever enough to pass ICMP messages associated with
a TCP or UDP connection for which it already has an established state
without needing any specific additional rules. BICBW.

Cheers,

Matthew
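A pf.conf fragment illustrating the point above; it is constructed for this note and is not taken from the thread or from either poster, and the interface name and network addresses are assumed:

```pf
# Constructed example: interface and addresses are placeholders.
inside_if  = "em0"
inside_net = "192.168.10.0/24"
dmz_net    = "192.168.20.0/24"

set skip on lo0

# Default deny, logged to pflog0 so dropped ICMP can be inspected.
block log all

# Inside hosts may open TCP/UDP connections into the DMZ.  Modern pf
# keeps state on pass rules by default, and states are floating, so the
# same state matches the packet leaving on the DMZ interface and the
# reply coming back.  An ICMP error (e.g. port unreachable) whose
# embedded header refers to one of these states is passed by that
# state; no extra ICMP rule is needed for it.
pass in on $inside_if proto { tcp udp } from $inside_net to $dmz_net

# The broad alternative discussed in the thread would read:
#   pass inet proto icmp all
# That also admits ICMP from the DMZ that is unrelated to any state
# (echo requests, errors for traffic pf never saw), which is what the
# objection "sounds like a bad idea" is about.

# If ping from inside to the DMZ is wanted, allow only echo requests;
# pf creates an ICMP state and matches the echo reply against it.
pass in on $inside_if inet proto icmp from $inside_net to $dmz_net icmp-type echoreq
```

With this loaded, `pfctl -ss` lists the TCP/UDP states and `tcpdump -n -e -ttt -i pflog0` shows any ICMP the block rule actually dropped, which settles the question for a given pf version without guessing.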